e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100

General

Target

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
Size

1.4MB
MD5

71cf9e17f89c88d5e287017149e04af8
SHA1

a822a06b3efaea3a17bfb8d17e549f8a904bba2a
SHA256

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100
SHA512

74e7f8af01a77716a0a6625ede3b0d8cac50c1f93f27eb146248c4d32737268fb26f3d7da0db6f9b5b5d5189f63b2007d94f80d61fc92b9b70dfe406c0fc0437
SSDEEP

24576:YDOdboF3zDAL08WR42XibVaUXWskvhSrC6DDNbswu6aJ2k:Jg3wzAl6XxkpODNbRah

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

FB_3555.tmp.exeHost.exe

pid process

1540 FB_3555.tmp.exe
980 Host.exe

pid	process
1540	FB_3555.tmp.exe
980	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D64D26Q-732M-57FF-5QQB-A633DI5FIF36}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D64D26Q-732M-57FF-5QQB-A633DI5FIF36}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Drops startup file 1 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

Loads dropped DLL 4 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exeFB_3555.tmp.exe

pid	process
1732	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
1732	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
1540	FB_3555.tmp.exe
1540	FB_3555.tmp.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exeHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

description	pid	process	target process
PID 1228 set thread context of 1428	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1228 set thread context of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

pid	process
1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1532 DllHost.exe

pid	process
1532	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

pid	process
1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.execmd.exenet.exee1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exeFB_3555.tmp.exe

description	pid	process	target process
PID 1228 wrote to memory of 2020	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	cmd.exe
PID 1228 wrote to memory of 2020	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	cmd.exe
PID 1228 wrote to memory of 2020	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	cmd.exe
PID 1228 wrote to memory of 2020	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	cmd.exe
PID 1228 wrote to memory of 1428	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1228 wrote to memory of 1428	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1228 wrote to memory of 1428	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1228 wrote to memory of 1428	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1228 wrote to memory of 1428	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 2020 wrote to memory of 896	2020	cmd.exe	net.exe
PID 2020 wrote to memory of 896	2020	cmd.exe	net.exe
PID 2020 wrote to memory of 896	2020	cmd.exe	net.exe
PID 2020 wrote to memory of 896	2020	cmd.exe	net.exe
PID 896 wrote to memory of 784	896	net.exe	net1.exe
PID 896 wrote to memory of 784	896	net.exe	net1.exe
PID 896 wrote to memory of 784	896	net.exe	net1.exe
PID 896 wrote to memory of 784	896	net.exe	net1.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1228 wrote to memory of 1732	1228	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1732 wrote to memory of 1540	1732	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	FB_3555.tmp.exe
PID 1732 wrote to memory of 1540	1732	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	FB_3555.tmp.exe
PID 1732 wrote to memory of 1540	1732	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	FB_3555.tmp.exe
PID 1732 wrote to memory of 1540	1732	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	FB_3555.tmp.exe
PID 1540 wrote to memory of 980	1540	FB_3555.tmp.exe	Host.exe
PID 1540 wrote to memory of 980	1540	FB_3555.tmp.exe	Host.exe
PID 1540 wrote to memory of 980	1540	FB_3555.tmp.exe	Host.exe
PID 1540 wrote to memory of 980	1540	FB_3555.tmp.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
"C:\Users\Admin\AppData\Local\Temp\e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:784

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
C:\Users\Admin\AppData\Local\Temp\e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\FB_3555.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_3555.tmp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:980

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_3238.tmp.jpg
Filesize
858KB

MD5
076e3caed758a1c18c91a0e9cae3368f

SHA1
f5f8ad26819a471318d24631fa5055036712a87e

SHA256
954f7d96502b5c5fe2e98a5045bca7f5e9ba11e3dbf92a5c0214a6aa4c7f2208

SHA512
7b8b9adf2dc67871b06fb9094bcd81e8834643cd9af96a0af591c2978bbe2fb7f53ff9b54ae09099aed97db727cd42df4ef02662ef4c6d7cf8023561ddccc7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_3555.tmp.exe
Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_3555.tmp.exe
Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
\Users\Admin\AppData\Local\Temp\FB_3555.tmp.exe
Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
\Users\Admin\AppData\Local\Temp\FB_3555.tmp.exe
Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
memory/784-57-0x0000000000000000-mapping.dmp

Download
memory/896-56-0x0000000000000000-mapping.dmp

Download
memory/980-80-0x0000000000000000-mapping.dmp

Download
memory/1228-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1228-58-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/1540-74-0x0000000000000000-mapping.dmp

Download
memory/1732-62-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-70-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-69-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-66-0x0000000000401190-mapping.dmp

Download
memory/1732-65-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-63-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-61-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-60-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-59-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads